Login/Logout events
Robert Evans
bob.evans at jhuapl.edu
Thu May 3 17:17:24 UTC 2007
Yup, you are absolutely right.
FC5 currently has an update to 4.3p2-12 (not 13 yet), and it doesn't work
FC6 currently runs 4.3p2-19, and it does indeed produce the logout event.
Thanks for the quick feedback!
Steve Grubb wrote:
> On Thursday 03 May 2007 10:00, Robert Evans wrote:
>> In doing some testing with the last audit module (testing on FC5) I found
>> the following behavior
>>
>> 1. login and logout events recorded from GDM login
>> 2. login and logout events recorded from su
>> 3. login events recorded from ssh connections, no logout events (USER_END)
>> logged.
>
> Login is marked by the USER_LOGIN event. There should be a USER_START event
> that identifies the beginning of the session. A USER_END event denotes the
> end of the session. So, for "su"...you should see a session begin, not a
> login.
>
>> Is there something I need to do to catch these ssh disconnects?
>
> Update openssh. This was a bug in that the logging of this event was done from
> a place where not enough privileges existed. I think 4.3p2-13 has the fix
> for it.
>
> -Steve
>
More information about the Linux-audit
mailing list